I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-02-27-Fake-Flash-NetSupport-RAT-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

• plastibond.com – COMPROMISED SITE
• 23.152.0.118 – track.amishbrand.com – WILL NOT INFECT IF DOMAIN IS BLOCKED
• 84.200.17.21 – scene.timbervalleyfarm.com – DOMAIN HOSTING FAKE FLASH
• DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT MANAGER RAT
• 185.243.112.38 – pn.dr906090.com POST /index.aspx – POST INFECT TRAFFIC
• SCREENCAST GET /users/seg.net90/folders/serg_90_09022018/media/339d4871-0ad4-41bf-86ab-17fb5364e24e/desktop.ini.lnk?downloadOnly=true –  DOMAIN HOSTING NETSUPPORT MANAGER RAT INSTALLER
• 179.43.186.90 – POST http://179.43.186.90/fakeurl.htm – NETSUPPORT MANAGER RAT C2

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: DNS traffic associated with Fake Flash Player update and NetSupport  Manager RAT

Shown above: Script for domain hosting fake flash content

Shown above: Fake Flash Player pop-up which leads to NetSupport Manager RAT

Shown above: Fake Chrome update when visiting compromised site using Chrome browser

Shown above: NetSupport RAT installer hosted on screencast

MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:

• update.js – JavaScript to download NetSupport Manager RAT
  VirusTotal Link
• z7a.exe – NetSupport Manager RAT Installer
  VirusTotal Link
• client32.exe – NetSupport Manager Client
  C:\Users\USERNAME\AppData\Roaming\ManifestStore
  VirusTotal Link